[*] Binary protection state of fwmgr
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function system tear down of fwmgr
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/sbin/fwmgr @ 0x874c */
| #include <stdint.h>
|
; (fcn) fcn.0000874c () | void fcn_0000874c (int16_t arg1, int16_t arg2) {
| r0 = arg1;
| r1 = arg2;
| do {
0x000028c4 bx pc | return void (*pc)() ();
0x0000874c push {r3, r4, r5, lr} |
0x0000874e mov r5, r0 | r5 = r0;
0x00008750 ldr r0, [pc, 0x24] |
0x00008752 mov r4, r1 | r4 = r1;
0x00008754 add r0, pc | r0 = 0x10ed0;
0x00008756 blx 0x2d88 | fcn_00002d88 ();
| if (r4 != 0) {
0x0000875a cbz r4, 0x8768 |
0x0000875c ldr r1, [pc, 0x1c] |
0x0000875e mov r2, r4 | r2 = r4;
0x00008760 movs r0, 1 | r0 = 1;
0x00008762 add r1, pc | r1 = 0x10ee2;
0x00008764 blx 0x28c8 | system (r0)
| }
0x00008768 ldr r1, [pc, 0x14] |
0x0000876a mov r2, r5 | r2 = r5;
0x0000876c movs r0, 1 | r0 = 1;
0x0000876e pop.w {r3, r4, r5, lr} |
0x00008772 add r1, pc | r1 = 0x10ef6;
0x00008774 b.w 0x28c4 |
| } while (1);
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/sbin/fwmgr @ 0xc2dc */
| #include <stdint.h>
|
; (fcn) fcn.0000c2dc () | void fcn_0000c2dc (int16_t arg1, int16_t arg2) {
| int16_t var_0h;
| int16_t var_4h;
| r0 = arg1;
| r1 = arg2;
0x0000c2dc push.w {r4, r5, r6, r7, r8, sb, sl, lr} |
0x0000c2e0 sub sp, 8 |
0x0000c2e2 ldr r4, [pc, 0x234] |
0x0000c2e4 movs r6, 1 | r6 = 1;
0x0000c2e6 mov r8, r1 | r8 = r1;
0x0000c2e8 ldr r2, [pc, 0x230] | r2 = *(0xc51c);
0x0000c2ea add r4, pc | r4 = 0x18808;
0x0000c2ec ldr r5, [pc, 0x230] |
0x0000c2ee ldr r3, [pc, 0x234] | r3 = *(0xc526);
0x0000c2f0 ldr r2, [r4, r2] |
0x0000c2f2 mov r4, r0 | r4 = r0;
0x0000c2f4 add r5, pc | r5 = 0x18818;
0x0000c2f6 ldr r2, [r2] | r2 = *(0x18808);
0x0000c2f8 str r2, [sp, 4] | var_4h = r2;
0x0000c2fa mov.w r2, 0 | r2 = 0;
0x0000c2fe ldr r2, [pc, 0x228] |
0x0000c300 ldr r7, [r5, r3] | r7 = *(0x18818);
0x0000c302 add r2, pc | r2 = 0x18830;
0x0000c304 str r6, [r7] | *(r7) = r6;
0x0000c306 blx 0x2ad8 | r0 = sd_bus_error_set_const ();
0x0000c30a adds r3, r0, 1 | r3 = r0 + 1;
| if (r3 == r0) {
0x0000c30c beq 0xc32a | goto label_1;
| }
0x0000c30e cmp r0, 0x68 |
0x0000c310 beq 0xc316 |
| while (1) {
| label_0:
0x0000c312 bl 0xc200 | fcn_0000c200 ();
0x0000c316 ldr r1, [pc, 0x214] |
0x0000c318 mov r0, r6 | r0 = r6;
0x0000c31a ldr.w r2, [r8] | r2 = *(r8);
0x0000c31e add r1, pc | r1 = 0x18850;
0x0000c320 blx 0x28c8 | system (r0)
0x0000c324 movs r0, 0 | r0 = 0;
0x0000c326 blx 0x2f7c | memset_chk ();
| label_1:
0x0000c32a ldr r7, [r7] | r7 = *(r7);
0x0000c32c cmp r7, r4 |
| if (r7 < r4) {
0x0000c32e bge 0xc390 |
0x0000c330 ldr.w sl, [r8, r7, lsl 2] | offset_0 = r7 << 2;
| sl = *((r8 + offset_0));
0x0000c334 lsl.w sb, r7, 2 | sb = r7 << 2;
0x0000c338 ldr r1, [pc, 0x1f4] |
0x0000c33a mov r0, sl | r0 = sl;
0x0000c33c add r1, pc | r1 = 0x18870;
0x0000c33e blx 0x2f70 | r0 = vdprintf_chk ();
| if (r0 != 0) {
0x0000c342 cbz r0, 0xc36c |
0x0000c344 ldr r1, [pc, 0x1ec] |
0x0000c346 mov r0, sl | r0 = sl;
0x0000c348 add r1, pc | r1 = 0x18880;
0x0000c34a blx 0x2f70 | r0 = vdprintf_chk ();
| if (r0 != 0) {
0x0000c34e cbnz r0, 0xc3a4 | goto label_2;
| }
0x0000c350 adds r7, 1 | r7++;
0x0000c352 cmp r7, r4 |
| if (r7 < r4) {
0x0000c354 blt 0xc42e | goto label_3;
| }
0x0000c356 ldr r3, [pc, 0x1e0] |
0x0000c358 movs r2, 0x2e | r2 = 0x2e;
0x0000c35a ldr r0, [pc, 0x1e0] |
0x0000c35c mov r1, r6 | r1 = r6;
0x0000c35e ldr r3, [r5, r3] | r3 = *((r5 + r3));
0x0000c360 add r0, pc | r0 = 0x188a2;
0x0000c362 ldr r3, [r3] | r3 = *(0xc53a);
0x0000c364 blx 0x2c1c | stpcpy_chk ();
0x0000c368 bl 0xc200 | fcn_0000c200 ();
| }
0x0000c36c mov r7, sp | r7 = sp;
0x0000c36e str r0, [sp] | *(sp) = r0;
0x0000c370 mov r0, r7 | r0 = r7;
0x0000c372 bl 0xc6b0 | r0 = fcn_0000c6b0 (r0);
0x0000c376 cmp r0, 0 |
| if (r0 != 0) {
0x0000c378 bne 0xc454 | goto label_4;
| }
0x0000c37a ldr r3, [pc, 0x1bc] |
0x0000c37c movs r2, 0x34 | r2 = 0x34;
0x0000c37e ldr r0, [pc, 0x1c0] |
0x0000c380 mov r1, r6 | r1 = r6;
0x0000c382 ldr r3, [r5, r3] | r3 = *((r5 + r3));
0x0000c384 add r0, pc | r0 = 0x188ca;
0x0000c386 ldr r3, [r3] | r3 = *(0xc53a);
0x0000c388 blx 0x2c1c | stpcpy_chk ();
0x0000c38c bl 0xc200 | fcn_0000c200 ();
| }
0x0000c390 ldr r3, [pc, 0x1a4] |
0x0000c392 movs r2, 0x18 | r2 = 0x18;
0x0000c394 ldr r0, [pc, 0x1ac] |
0x0000c396 mov r1, r6 | r1 = r6;
0x0000c398 ldr r3, [r5, r3] | r3 = *((r5 + r3));
0x0000c39a add r0, pc | r0 = 0x188e2;
0x0000c39c ldr r3, [r3] | r3 = "_";
0x0000c39e blx 0x2c1c | stpcpy_chk ();
0x0000c3a2 b 0xc312 |
| }
| label_2:
0x0000c3a4 ldr r1, [pc, 0x1a0] |
0x0000c3a6 mov r0, sl | r0 = sl;
0x0000c3a8 add r1, pc | r1 = 0x188f4;
0x0000c3aa blx 0x2f70 | r0 = vdprintf_chk ();
0x0000c3ae cmp r0, 0 |
| if (r0 == 0) {
0x0000c3b0 beq 0xc438 | goto label_5;
| }
0x0000c3b2 ldr r1, [pc, 0x198] |
0x0000c3b4 mov r0, sl | r0 = sl;
0x0000c3b6 add r1, pc | r1 = 0x18908;
0x0000c3b8 blx 0x2f70 | vdprintf_chk ();
0x0000c3ba ldcl p8, c2, [sl] | __asm ("ldcl p8, c2, [sl]");
| if (r0 != 0) {
0x0000c3be bne 0xc478 | goto label_6;
| }
0x0000c3c0 adds r7, 1 | r7++;
0x0000c3c2 movs r3, 0 | r3 = 0;
0x0000c3c4 cmp r7, r4 |
0x0000c3c6 mov r7, sp | r7 = sp;
0x0000c3c8 ite lt |
| if (r7 >= r4) {
0x0000c3ca addlt sb, r8 | sb += r8;
| }
| if (r7 < r4) {
0x0000c3cc movge r8, r0 | r8 = r0;
| }
0x0000c3ce mov r0, r7 | r0 = r7;
0x0000c3d0 it lt |
| if (r7 >= r4) {
0x0000c3d2 ldrlt r8, [sb, 4] | r8 = *((sb + 4));
| }
0x0000c3d6 str r3, [sp] | *(sp) = r3;
0x0000c3d8 bl 0xc6b0 | r0 = fcn_0000c6b0 (r0);
0x0000c3dc cmp r0, 0 |
| if (r0 == 0) {
0x0000c3de beq 0xc4ce | goto label_7;
| }
0x0000c3e0 ldr.w sb, [pc, 0x16c] |
0x0000c3e4 ldr r4, [sp] | r4 = *(sp);
0x0000c3e6 add sb, pc | sb = 0x1893a;
| do {
0x0000c3e8 cmp r4, 0 |
| if (r4 == 0) {
0x0000c3ea beq 0xc46c | goto label_8;
| }
0x0000c3ec cmp.w r8, 0 |
| if (r8 != 0) {
0x0000c3f0 beq 0xc3fc |
0x0000c3f2 mov r1, r4 | r1 = r4;
0x0000c3f4 mov r0, r8 | r0 = r8;
0x0000c3f6 blx 0x2f70 | r0 = vdprintf_chk ();
| if (r0 != 0) {
0x0000c3fa cbnz r0, 0xc428 | goto label_9;
| }
| }
0x0000c3fc mov.w r2, 0x1a4 | r2 = 0x1a4;
0x0000c400 movs r1, 0xc1 | r1 = 0xc1;
0x0000c402 mov r0, r4 | r0 = r4;
0x0000c404 blx 0x2730 | r0 = open (r0, r1, r2);
0x0000c408 subs r6, r0, 0 | r6 = r0 - 0;
| if (r6 < r0) {
0x0000c40a blt 0xc4e4 | goto label_10;
| }
0x0000c40c ldrd r1, r2, [r4, 0xc4] | __asm ("ldrd r1, r2, [r4, 0xc4]");
0x0000c410 blx 0x29e4 | r0 = fcn_000029e4 ();
0x0000c414 cmp r0, 0 |
| if (r0 < 0) {
0x0000c416 blt 0xc4fa | goto label_11;
| }
0x0000c418 mov r0, r6 | r0 = r6;
0x0000c41a blx 0x2bf8 | EVP_PKEY_verify_init ();
0x0000c41e mov r2, r4 | r2 = r4;
0x0000c420 mov r1, sb | r1 = sb;
0x0000c422 movs r0, 1 | r0 = 1;
0x0000c424 blx 0x28c8 | system (r0)
| label_9:
0x0000c428 ldr.w r4, [r4, 0xcc] | r4 = *((r4 + 0xcc));
0x0000c42c b 0xc3e8 |
| } while (1);
| label_3:
0x0000c42e add sb, r8 | sb += r8;
0x0000c430 ldr.w r0, [sb, 4] | r0 = *((sb + 4));
0x0000c434 bl 0xc208 | fcn_0000c208 (r0, r1, r2, r3, r4, r5, r6);
| label_5:
0x0000c438 adds r7, 1 | r7++;
0x0000c43a cmp r7, r4 |
| if (r7 < r4) {
0x0000c43c blt 0xc49a | goto label_12;
| }
0x0000c43e ldr r3, [pc, 0xf8] |
0x0000c440 movs r2, 0x2c | r2 = 0x2c;
0x0000c442 ldr r0, [pc, 0x110] |
0x0000c444 mov r1, r6 | r1 = r6;
0x0000c446 ldr r3, [r5, r3] | r3 = *((r5 + r3));
0x0000c448 add r0, pc | r0 = 0x189a2;
0x0000c44a ldr r3, [r3] | r3 = *(0xc53a);
0x0000c44c blx 0x2c1c | stpcpy_chk ();
0x0000c450 bl 0xc200 | fcn_0000c200 ();
| label_4:
0x0000c454 ldr r0, [pc, 0x100] |
0x0000c456 add r0, pc | r0 = 0x189b2;
0x0000c458 blx 0x2d88 | fcn_00002d88 ();
0x0000c45c ldr r4, [sp] | r4 = *(sp);
| do {
| if (r4 == 0) {
0x0000c45e cbz r4, 0xc46c | goto label_8;
| }
0x0000c460 mov r0, r4 | r0 = r4;
0x0000c462 blx 0x2d88 | fcn_00002d88 ();
0x0000c466 ldr.w r4, [r4, 0xcc] | r4 = *((r4 + 0xcc));
0x0000c46a b 0xc45e |
| } while (1);
| label_8:
0x0000c46c mov r0, r7 | r0 = r7;
0x0000c46e bl 0xc688 | fcn_0000c688 (r0);
0x0000c472 mov r0, r4 | r0 = r4;
| do {
0x0000c474 blx 0x2f7c | memset_chk ();
| label_6:
0x0000c478 ldr r1, [pc, 0xe0] |
0x0000c47a mov r0, sl | r0 = sl;
0x0000c47c add r1, pc | r1 = 0x189dc;
0x0000c47e blx 0x2f70 | r0 = vdprintf_chk ();
0x0000c482 mov r4, r0 | r4 = r0;
| if (r0 != 0) {
0x0000c484 cbnz r0, 0xc4c4 | goto label_13;
| }
0x0000c486 ldr r1, [pc, 0xd8] |
0x0000c488 mov r0, r6 | r0 = r6;
0x0000c48a ldr.w r2, [r8] | r2 = *(r8);
0x0000c48e add r1, pc | r1 = 0x189f4;
0x0000c490 blx 0x28c8 | system (r0)
0x0000c494 mov r0, r4 | r0 = r4;
0x0000c496 blx 0x2f7c | memset_chk ();
| label_12:
0x0000c49a add sb, r8 | sb += r8;
0x0000c49c ldr.w r4, [sb, 4] | r4 = *((sb + 4));
0x0000c4a0 mov r0, r4 | r0 = r4;
0x0000c4a2 bl 0xc958 | r0 = fcn_0000c958 (r0);
0x0000c4a6 cmp r0, 0 |
0x0000c4a8 beq 0xc474 |
| } while (r0 == 0);
0x0000c4aa cmp r0, 2 |
| if (r0 != 2) {
0x0000c4ac bne.w 0xc312 | goto label_0;
| }
0x0000c4b0 ldr r2, [pc, 0xb0] |
0x0000c4b2 mov r3, r4 | r3 = r4;
0x0000c4b4 ldr r0, [pc, 0x80] | r0 = "_";
0x0000c4b6 add r2, pc | r2 = 0x18a1e;
| do {
0x0000c4b8 ldr r0, [r5, r0] | r0 = *((r5 + r0));
0x0000c4ba mov r1, r6 | r1 = r6;
0x0000c4bc ldr r0, [r0] | r0 = *(r0);
0x0000c4be blx 0x2cf4 | sd_bus_call_method ();
0x0000c4c2 b 0xc312 | goto label_0;
| label_13:
0x0000c4c4 ldr r2, [pc, 0xa0] |
0x0000c4c6 mov r3, sl | r3 = sl;
0x0000c4c8 ldr r0, [pc, 0x6c] | r0 = "_";
0x0000c4ca add r2, pc | r2 = 0x18a36;
0x0000c4cc b 0xc4b8 |
| } while (1);
| label_7:
0x0000c4ce ldr r3, [pc, 0x68] |
0x0000c4d0 movs r2, 0x34 | r2 = 0x34;
0x0000c4d2 ldr r0, [pc, 0x98] |
0x0000c4d4 movs r1, 1 | r1 = 1;
0x0000c4d6 ldr r3, [r5, r3] | r3 = *((r5 + r3));
0x0000c4d8 add r0, pc | r0 = 0x18a4a;
0x0000c4da ldr r3, [r3] | r3 = *(0xc53a);
0x0000c4dc blx 0x2c1c | stpcpy_chk ();
0x0000c4e0 bl 0xc200 | fcn_0000c200 ();
| label_10:
0x0000c4e4 ldr r0, [pc, 0x50] |
0x0000c4e6 mov r3, r4 | r3 = r4;
0x0000c4e8 ldr r2, [pc, 0x84] |
0x0000c4ea movs r1, 1 | r1 = 1;
0x0000c4ec ldr r0, [r5, r0] | r0 = *((r5 + r0));
0x0000c4ee add r2, pc | r2 = 0x18a62;
0x0000c4f0 ldr r0, [r0] | r0 = "_";
0x0000c4f2 blx 0x2cf4 | sd_bus_call_method ();
0x0000c4f6 bl 0xc200 | fcn_0000c200 ();
| label_11:
0x0000c4fa ldr r1, [pc, 0x3c] | r1 = *(0xc53a);
0x0000c4fc mov r3, r4 | r3 = r4;
0x0000c4fe ldr r2, [pc, 0x74] |
0x0000c500 ldr r1, [r5, r1] | r1 = *((r5 + r1));
0x0000c502 add r2, pc | r2 = 0x18a7c;
0x0000c504 ldr r0, [r1] | r0 = *(0xc53a);
0x0000c506 movs r1, 1 | r1 = 1;
0x0000c508 blx 0x2cf4 | sd_bus_call_method ();
0x0000c50c mov r0, r6 | r0 = r6;
0x0000c50e blx 0x2bf8 | EVP_PKEY_verify_init ();
0x0000c512 bl 0xc200 | fcn_0000c200 ();
0x0000c516 nop |
0x0000c518 cmp r1, 0x52 |
0x0000c51a movs r2, r0 | r2 = r0;
0x0000c51c lsls r4, r1, 0xd | r4 = r1 << 0xd;
0x0000c51e movs r0, r0 |
0x0000c520 cmp r1, 0x48 |
0x0000c522 movs r2, r0 | r2 = r0;
0x0000c524 lsls r4, r5, 0xc | r4 = r5 << 0xc;
0x0000c526 movs r0, r0 |
0x0000c528 b 0xc930 | return void (*0xc930)() ();
| }
[*] Function system used 5 times fwmgr
